Through this brief analysis we uncovered something that looks suspicious. So far we have
leveraged only the geo-enriched Bro telemetry. From here, we can start to explore other
sources of telemetry to better understand the scope and overall exposure. Continue
investigating these suspicions with the other sources of telemetry available in Metron:

Try loading the Snort data and see if any alerts were triggered.

Load the flow telemetry and see what other internal assets have been exposed to this
suspicious actor.

If an internal asset has been compromised, investigate the compromised asset's
activity to uncover signs of internal reconnaissance or lateral movement.